Computer Emergency Response and Operations Coordination Center


Internet Protocol Security

IRCAR2011100118

Date: 2011-10-22

IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.

IPsec is essentially a way to provide security for data sent between two computers on an IP network. IPsec is not just a Windows feature; the Windows implementation of IPsec is based on standards developed by the Internet Engineering Task Force (IETF) IPsec working group.

IPsec operates at the Internet layer of the Internet Protocol Suite. It can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

Some other widely used Internet security systems, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of the TCP/IP model and must be built into each application that uses them. Because IPsec works at the Internet layer, it can protect any application traffic across an IP network without changes to the applications themselves.

IPsec protects data between two IP addresses by providing the following services:

Data Authentication

·Data origin authentication. You can configure IPsec to ensure that each packet you receive from a trusted party in fact originates from that party and is not spoofed.

·Data integrity. You can use IPsec to ensure that data is not altered in transit.

·Anti-replay protection. You can configure IPsec to verify that each packet received is unique and not duplicated.

Encryption

·You can use IPsec to encrypt network data so that it cannot be read if it is captured in transit.
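As an added example (not code from the original article), the following Python models the receiver side of the three data-authentication services listed above, in the shape of an ESP packet (RFC 4303): the integrity check value (ICV) gives data origin authentication and integrity, and the sliding window from RFC 4303 section 3.4.3 gives anti-replay protection. The key, SPI, window size and sample packets are assumptions constructed for the demonstration; encryption is left out so the payload stays readable.

```python
import hashlib
import hmac
import struct

# Added example, not part of the original article: the receiver-side checks behind the
# three data-authentication services, modelled on ESP (RFC 4303). The ICV is
# HMAC-SHA-256 truncated to 128 bits (RFC 4868); the anti-replay check is the sliding
# window of RFC 4303 section 3.4.3. Key, SPI and window size are assumptions chosen
# for the demonstration.

SPI = 0x1000_0001
KEY = b"\x11" * 32      # assumed 256-bit integrity key shared by both peers
ICV_LEN = 16
WINDOW = 64             # RFC 4303 requires at least 32; 64 is a common default


def esp_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """ICV over SPI || sequence number || payload, the fields ESP authenticates."""
    data = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_esp(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: SPI | seq | payload | ICV (padding and trailer omitted)."""
    return struct.pack("!II", spi, seq) + payload + esp_icv(key, spi, seq, payload)


class EspReceiver:
    """Inbound SA state: highest accepted sequence number plus a bitmap of the window."""

    def __init__(self, key: bytes, spi: int, window: int = WINDOW):
        self.key, self.spi, self.window = key, spi, window
        self.top = 0      # highest sequence number accepted so far
        self.seen = 0     # bit i set  <=>  sequence number (top - i) already accepted

    def accept(self, pkt: bytes) -> str:
        if len(pkt) < 8 + ICV_LEN:
            return "drop: truncated"
        spi, seq = struct.unpack("!II", pkt[:8])
        payload, icv = pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
        if spi != self.spi:
            return "drop: unknown SPI"
        # Anti-replay pre-check first: it is cheap and rejects floods of old packets
        # before any MAC computation.
        if seq == 0:
            return "drop: sequence number 0 is never valid"
        if seq <= self.top - self.window:
            return "drop: replay (older than the window)"
        if seq <= self.top and (self.seen >> (self.top - seq)) & 1:
            return "drop: replay (duplicate)"
        # Data origin authentication and integrity: constant-time ICV comparison.
        if not hmac.compare_digest(icv, esp_icv(self.key, spi, seq, payload)):
            return "drop: bad ICV"
        # Only a packet whose ICV verified may move the window (RFC 4303 3.4.3);
        # otherwise an attacker could advance it with forged sequence numbers.
        if seq > self.top:
            self.seen = ((self.seen << (seq - self.top)) | 1) & ((1 << self.window) - 1)
            self.top = seq
        else:
            self.seen |= 1 << (self.top - seq)
        return "accept"


def demo() -> list:
    """Constructed traffic: in-order, replayed, out-of-order, tampered and stale packets."""
    rx = EspReceiver(KEY, SPI)
    p1 = build_esp(KEY, SPI, 1, b"first")
    p3 = build_esp(KEY, SPI, 3, b"third")
    tampered = bytearray(build_esp(KEY, SPI, 4, b"fourth"))
    tampered[8] ^= 0x01                                  # flip one payload bit in transit
    return [
        rx.accept(p1),                                   # accept
        rx.accept(p1),                                   # drop: replay (duplicate)
        rx.accept(p3),                                   # accept (window moves to 3)
        rx.accept(build_esp(KEY, SPI, 2, b"second")),    # accept (late but inside window)
        rx.accept(bytes(tampered)),                      # drop: bad ICV
        rx.accept(build_esp(b"\x00" * 32, SPI, 5, b"x")),  # drop: bad ICV (wrong key)
        rx.accept(build_esp(KEY, SPI, 100, b"jump")),    # accept (window moves to 100)
        rx.accept(build_esp(KEY, SPI, 36, b"stale")),    # drop: replay (older than the window)
        rx.accept(build_esp(KEY, SPI, 37, b"edge")),     # accept (left edge of the window)
    ]
```

Note the ordering: the window is consulted before the ICV is computed, but it is only advanced after the ICV verifies. Checking the other way round would let an attacker with no key push the window forward with forged high sequence numbers and cause legitimate in-flight packets to be dropped as stale.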

In Windows Server 2008 and Windows Vista, IPsec is enforced either by IPsec Policies or by connection security rules. IPsec Policies by default attempt to negotiate both authentication and encryption services. Connection security rules by default attempt to negotiate only authentication services. However, you can configure IPsec Policies and connection security rules to provide any combination of data protection services.

Security architecture

The IPsec suite is an open standard. It uses the following protocols to perform its various functions:

·Authentication Header (AH) provides connectionless integrity and data origin authentication for IP packets, and can provide anti-replay protection, but no confidentiality.

·Encapsulating Security Payload (ESP) provides confidentiality and, optionally, integrity, data origin authentication and anti-replay protection.

·Security Associations (SA) provide the bundle of algorithms and data that supply the parameters needed to operate AH and/or ESP. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange; the actual authenticated keying material is provided either by manual configuration with pre-shared keys or by the Internet Key Exchange protocol (IKE and IKEv2).

Modes of operation

IPsec can be implemented in a host-to-host transport mode, as well as in a network tunnel mode.

Transport mode

In transport mode, only the payload of the IP packet (the data you transfer) is encrypted and/or authenticated. Routing is unaffected, since the IP header is neither modified nor encrypted; however, when the Authentication Header is used, the IP addresses cannot be translated by a NAT, because the addresses are covered by the integrity check value and rewriting them invalidates it. The transport- and application-layer data are covered by the integrity check, so they cannot be modified without detection. Transport mode is used for host-to-host communications.

Tunnel mode

In tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access), and host-to-host communications (e.g. private chat).

Tunnel mode supports NAT traversal: an ESP packet can be carried through a NAT by UDP encapsulation (NAT-T, RFC 3948), because ESP's integrity check does not cover the outer IP header. AH cannot traverse a NAT in either mode, since its integrity check covers the IP addresses.
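The two modes described above, as an added example that is not part of the original article: the Python below builds small IPv4 packets by hand and puts AH in transport mode next to ESP in tunnel mode, then applies the address rewrite a NAT would perform to each. The addresses, key, SPI and the fake TCP segment are constructed for the demonstration; ESP is shown integrity-only (no encryption, trailer omitted) and AH's ICV covers only the IPv4 mutable fields that matter here (TTL and header checksum zeroed, as RFC 4302 prescribes).

```python
import hashlib
import hmac
import socket
import struct

# Added example, not part of the original article. AH in transport mode: the ICV covers
# the original IP header, so a NAT address rewrite breaks it. ESP in tunnel mode: the
# whole original packet rides inside a new outer header that the ICV does not cover, so
# the outer address can be rewritten and the inner packet still verifies. Key, SPI and
# addresses are assumptions; ESP is integrity-only here (no encryption, no trailer).

KEY = b"\x22" * 32
SPI = 0x2000_0001
PROTO_TCP, PROTO_ESP, PROTO_AH = 6, 50, 51
AH_LEN = 24  # next header, payload length, reserved, SPI, sequence, 12-byte ICV


def ip_checksum(data: bytes) -> int:
    """Ones-complement IPv4 header checksum (RFC 791)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                                proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """What a NAT does to the outermost header: new source address, fixed checksum."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = socket.inet_aton(new_src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


# AH, transport mode: IP header | AH | payload. The ICV is computed over the IP header
# with the mutable fields (TTL, header checksum) zeroed, the AH with its ICV zeroed,
# and the payload (RFC 4302). The addresses are immutable, so they are authenticated.
def _ah_icv(key: bytes, ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    immutable = bytearray(ip_hdr)
    immutable[8] = 0
    immutable[10:12] = b"\x00\x00"
    data = bytes(immutable) + ah_no_icv + b"\x00" * 12 + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


def ah_transport(key: bytes, src: str, dst: str, payload: bytes, seq: int = 1) -> bytes:
    ip_hdr = ipv4_header(src, dst, PROTO_AH, AH_LEN + len(payload))
    ah_no_icv = struct.pack("!BBHII", PROTO_TCP, AH_LEN // 4 - 2, 0, SPI, seq)
    return ip_hdr + ah_no_icv + _ah_icv(key, ip_hdr, ah_no_icv, payload) + payload


def ah_verify(key: bytes, pkt: bytes) -> bool:
    ip_hdr, ah_no_icv, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, _ah_icv(key, ip_hdr, ah_no_icv, payload))


# ESP, tunnel mode: new IP header | SPI | seq | original packet | ICV. The ICV starts at
# the SPI, so nothing in the outer header is authenticated and a NAT may rewrite it.
def esp_tunnel(key: bytes, gw_src: str, gw_dst: str, inner_pkt: bytes, seq: int = 1) -> bytes:
    esp = struct.pack("!II", SPI, seq) + inner_pkt
    icv = hmac.new(key, esp, hashlib.sha256).digest()[:16]
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(esp) + 16) + esp + icv


def esp_tunnel_verify(key: bytes, pkt: bytes):
    """Return the decapsulated original packet, or None if the ICV does not match."""
    esp, icv = pkt[20:-16], pkt[-16:]
    expected = hmac.new(key, esp, hashlib.sha256).digest()[:16]
    return esp[8:] if hmac.compare_digest(icv, expected) else None


def demo() -> dict:
    """Constructed scenario: host 10.0.0.5 talks to 10.0.1.7; gateway 203.0.113.1 tunnels
    to gateway 198.51.100.20, and a NAT on the path rewrites 203.0.113.1 to 198.51.100.9."""
    segment = b"\x1f\x90\x00\x50" + b"GET / HTTP/1.0\r\n"  # fake TCP segment (constructed)
    transport = ah_transport(KEY, "10.0.0.5", "10.0.1.7", segment)
    inner = ipv4_header("10.0.0.5", "10.0.1.7", PROTO_TCP, len(segment)) + segment
    tunnel = esp_tunnel(KEY, "203.0.113.1", "198.51.100.20", inner)
    natted_tunnel = nat_rewrite_src(tunnel, "198.51.100.9")
    return {
        "ah_transport_verifies": ah_verify(KEY, transport),
        "ah_transport_after_nat": ah_verify(KEY, nat_rewrite_src(transport, "198.51.100.9")),
        "esp_tunnel_verifies": esp_tunnel_verify(KEY, tunnel) == inner,
        "esp_tunnel_after_nat": esp_tunnel_verify(KEY, natted_tunnel) == inner,
        "inner_header_untouched": natted_tunnel[28:48] == inner[:20],
    }
```

Running demo() shows the AH transport packet verifying before the NAT and failing after it, while the ESP tunnel packet verifies in both cases and the original header at offset 28 of the outer packet is byte-for-byte intact. What this does not show is the other half of NAT traversal: a port-based NAT has no UDP/TCP ports in a bare ESP packet to map on, which is why NAT-T wraps ESP in UDP.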